Adding behaviour strings to PS1Profiler, either inspired by or suppor…
…ted by QuickScope's inclusion of these strings
cccs-kevin committed Dec 12, 2023
1 parent 3433cbb commit 979995c
Showing 14 changed files with 509 additions and 55 deletions.
Expand Up @@ -168,7 +168,7 @@
},
{
"auto_collapse": false,
"body": "Marks: Net.WebClient, DownloadString",
"body": "Marks: WebClient, DownloadString",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 2063,
"score": 2173,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -262,6 +262,54 @@
"title_text": "Signature: Sleeps",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: EncodedCommand",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: -ExecutionPolicy",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 10,
"score_map": {
"Evasion": 10
},
"signatures": {
"Evasion": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Evasion",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
Expand Down Expand Up @@ -784,6 +832,20 @@
"Sleeps"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Evasion"
]
},
{
"attack_ids": [],
"heur_id": 3,
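Review bot: The new Obfuscation hit at `"body": "Marks: EncodedCommand"` records a match on the fully spelled parameter only, and PowerShell accepts any unambiguous prefix (`-e`, `-ec`, `-enc`, `-EncodedC`), which is what one-liner droppers usually emit; only the mark is visible in this fixture, so if the underlying signature is a literal, case-sensitive substring it should be widened to the short forms and made case-insensitive. Both new heuristic entries carry `"attack_ids": []`, yet these behaviours have straightforward ATT&CK mappings (T1059.001 for both; T1027.010 for the encoded command) that Assemblyline would surface if populated. `-ExecutionPolicy` on its own is common in legitimate signed scripts, so the score of 10 is sensible, but the mark would carry more signal if it captured the argument (`Bypass`/`Unrestricted`) rather than just the switch.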
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1331,
"score": 1441,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -223,7 +223,31 @@
},
{
"auto_collapse": false,
"body": "Marks: [System.Convert]::FromBase64String(",
"body": "Marks: Text.Encoding, System.Convert",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: FromBase64String(",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand Down Expand Up @@ -317,6 +341,30 @@
"title_text": "Signature: Imports BitsTransfer",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: env:APPDATA",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 10,
"score_map": {
"Filesystem": 10
},
"signatures": {
"Filesystem": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Filesystem",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: Downloader, Imports BitsTransfer, Deobfuscation, Compression, Sleeps",
Expand Down Expand Up @@ -408,6 +456,13 @@
"Sleeps"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
Expand Down Expand Up @@ -436,6 +491,13 @@
"Imports BitsTransfer"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Filesystem"
]
},
{
"attack_ids": [],
"heur_id": 3,
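Review bot: The new Obfuscation entry at `"body": "Marks: Text.Encoding, System.Convert"` scores 100 on type references that are boilerplate in benign scripts (`[Text.Encoding]::UTF8.GetBytes`, `[System.Convert]::ToBase64String` for Basic-auth headers), while the actual decode, `FromBase64String(`, is still matched by the signature that follows and the summary line `Marks: Downloader, Imports BitsTransfer, Deobfuscation, Compression, Sleeps` still lists Deobfuscation, so a single base64 decode now contributes to the score more than once; the file's total moving from 1331 to 1441 is consistent with that stacking. Consider scoring the bare type names at the 10 used for the Filesystem marks, or folding them into the existing Deobfuscation signature, so the 100 is reserved for a genuine decode-and-execute pattern. The `env:APPDATA` Filesystem mark is fine as a low-weight locator, though `env:TEMP`, `env:LOCALAPPDATA` and `env:ProgramData` are equally common drop locations and belong in the same signature if they are not already covered.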
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 541,
"score": 641,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -38,7 +38,7 @@
},
{
"auto_collapse": false,
"body": "Marks: wget",
"body": "Marks: TCPClient, wget, Net.Sockets, AcceptTcpClient",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand Down Expand Up @@ -108,6 +108,30 @@
"title_text": "Signature: Hidden Window",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: Text.Encoding",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: gwmi",
Expand Down Expand Up @@ -199,6 +223,13 @@
"Hidden Window"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
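Review bot: The Obfuscation entry at `"body": "Marks: Text.Encoding"` shows the signature firing at score 100 on `Text.Encoding` alone, which is the clearest false-positive case in this commit: encoding conversions are routine in benign PowerShell and nothing in this mark indicates obfuscation beyond the type name, so this sample's total rising from 541 to 641 on that single hit is hard to justify. Either require a co-occurring decode indicator (`FromBase64String`, `-join`, char-code arithmetic) before awarding the high score, or lower the weight for a bare type reference. Separately, the widened mark `TCPClient, wget, Net.Sockets, AcceptTcpClient` now mixes outbound client strings with `AcceptTcpClient`, which is a listener/bind-shell behaviour rather than a download; the signature title is outside this hunk, but if this is the Downloader signature a distinct listener signature would attribute that behaviour more accurately.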
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 151,
"score": 261,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -66,7 +66,7 @@
},
{
"auto_collapse": false,
"body": "Marks: Convert, FromBase64String, Text.Encoding, Compression.CompressionMode]::Decompress, IO.Compression.DeflateStream, IO.MemoryStream",
"body": "Marks: Convert, FromBase64String, Text.Encoding, Compression.CompressionMode, IO.Compression.DeflateStream, IO.MemoryStream",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand All @@ -90,7 +90,31 @@
},
{
"auto_collapse": false,
"body": "Marks: [Convert]::FromBase64String(",
"body": "Marks: Text.Encoding, System.Convert",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: FromBase64String(",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand Down Expand Up @@ -160,6 +184,30 @@
"title_text": "Signature: Byte Usage",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: IO.File",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 10,
"score_map": {
"Filesystem": 10
},
"signatures": {
"Filesystem": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Filesystem",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
Expand Down Expand Up @@ -264,6 +312,13 @@
"Compression"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
Expand All @@ -284,6 +339,13 @@
"signatures": [
"Byte Usage"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Filesystem"
]
}
],
"tags": {
